Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

EMA provisioning problems

msnapka
Beginner

Hello, colleagues,

as I am rather new to the topic, the way I will describe my problem may be a bit confused. I apologise in advance. However, I am out of my thoughts and IT budget and any help would be appreciated. 

 

I have tried to establish the infrastructure for the future PKI using which we want to automatically provision AMTs in all future devices in our school.

 

What I have done till now:

  1. installed a clean VM with WinSrv 2019
  2. installed MS SQL Server 2019 Express
  3. installed Intel EMA
  4. created the global admin, new tenant, tenant admin, endpoint group "Desktops" and AMT profile "amtconfig-desktops" with fake CIRA suffix so that it always connects
  5. created agent files
  6. distributed the two files across one PC classroom using PDQ Deploy (but the issue is not caused by it, later I tried to uninstall the agent and install it manually, same problem)
  7. I got to see all the installed PCs as connected in the "Desktops" endpoint list.

 

However, the AMT provisioning never occurred. First I got the status "Pending activation", which later on changed to "Retry Activation on Reconnect".

 

I have not uploaded any certificate yet as I have expected the provisioning to happen in CCM, which I was able to successfully produce using ACUconfig before on the same machines. Later my plan was to add the trusted cert in order to reprovision the machines into ACM.

 

Server logs:

attached

 

Client logs:

[2022-04-27 04:23:20.831 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1141 Packet is not encrypted correctly or uses an old key. Last error: 0

... (many times the same till...)

[2022-04-27 04:24:30.833 PM] \Agent\MeshManageability\agent\core\meshctrl.c:1141 Packet is not encrypted correctly or uses an old key. Last error: 0

 

Also, when I try to open up the clientIP:16990, I only get the text "Not found" instead of the diagnostics page.

 

 

Network:

colleague reported that he only sees the traffic from 8080 on the server and nothing else

 

Thank You very much and have a great day.

 

Marek

JoseH_Intel
Moderator

Hello msnapka,


Thank you for joining the Intel community


Thank you for the detailed description and all the info provided. Let me ask you which version of EMA did you install? (From the logs it seems to be v1.7.0 latest.) If not, let me know.

How many systems are you trying to provision?

Were you able to make it work in at least 1 system for testing purposes?


You want to take a look at this article (if not already): How to Troubleshoot a Client Initiated Remote Access (CIRA)... (intel.com)


Regards


Jose A.

Intel Customer Support Technician


msnapka
Beginner

Hello, Jose, thank You for Your input.

Indeed, I have downloaded the latest version, 1.7.0.0.

 

I am trying the first batch on 20 or so computers (I sent the agent to all of the online systems in a classroom of 32). To be sure, I also tried a computer that has never been touched in the matter of AMT in a different classroom. None of the computers worked.

 

The article you sent I checked probably 20 times, however, I will run a few more tests. But let's take it point by point:

  • Determine if the system is Intel® Active Management Technology (Intel® AMT)–capable before proceeding. You can follow the instructions in the article Using the Intel® Endpoint Management Assistant Configuration tool (Intel® EMA Configuration Tool).
    • Yes, it is, I was able to configure the AMT into CCM using AMT Configuration Utility AND check the results using MeshCommander and web browser on port 16992.
  • If a remote provisioning certificate is already installed, ensure DHCP Option15 is set to the appropriate DNS Suffix, and then skip to Step 4.
    • DHCP option 15 is set up and showing fine in ipconfig -all
    • no certificate is installed yet as I am trying to start with no certificate and CCM as the cert is quite expensive
  • Verify that the PKI DNS Suffix in Intel® Management BIOS Extension (Intel® MEBX) has been configured. This is persistent after doing a full un-provision.
    Note: The only way to see the TLS PKI screen is after doing a full un-provision via EMA, ACUConfig, or directly in Intel® Management BIOS Extension (Intel® MEBX). It can be found in the Remote Setup and Configuration tab in Intel MEBX.

    This must be set to get CIRA mode.
    The DNS suffix needs to be the same as the provisioning cert. Also, you can do an ipconfig /all and verify the DNS suffix on the physical Ethernet interface.
    Setting up Intel AMT initially requires being on a wired interface before wireless is supported when activating in Admin Control Mode.

    • I expect this to be configured by EMA on a fully unprovisioned system
    • on the computers where I previously did the test unprovision using the ACU: "ACUconfig.exe /output Console /Verbose Unconfigure /AdminPassword mypassword"; nothing has been configured manually in MEBx in them before the ACU tests
    • all systems are flashed to up-to-date FW - AMT v11.8.something
  • Intel AMT CIRA makes use of the Intel AMT feature environment detection. When the endpoint system’s network domain matches the configured CIRA domain, Intel AMT will not start the CIRA connection. To force Intel AMT to always open a CIRA tunnel, enter a fake domain suffix in the CIRA intranet suffix field under General settings when creating your Intel AMT profile. This fake domain suffix should be complex enough to prevent anyone from guessing it and therefore using it to prevent a CIRA connection and open local management ports.
    • I used a random 30-character fake domain name to force the connection for the tests as shown in the Intel Business YT channel training videos - the CIRA domain name therefore DOES NOT match and IMO should be started
    • the CIRA is IMO not the issue, if the ME itself is not activated first of all and the OS agent communication does not work - bear in mind that the server is spitting out errors about swarm server connection, the OS agent diag page is "Not found" and the client has problems with encryption in the logs
  • Verify that Local Manageability Service (LMS) drivers are installed from Intel® Management Engine Driver for Windows* 8.1 and Windows® 10 or from their Original Equipment Manufacturer (OEM) site.
    • There are no unknown devices in the device manager.
    • I can see "Intel Management Engine Interface" driver installed all right
    • still bear in mind that provisioning using ACU worked without problems, it uses the same driver set, I rule this problem out
  • Then get connection status from the Intel® Management and Security Status tool.
    • I do not have this tool. Where can I get it?
  • Verify that the network information shows link status is up and Dynamic Host Configuration Protocol (DHCP). Remote management requires DHCP. Static IP (Internet Protocol) addresses do not work.
    • DHCP serving fine, I work with the PC remotely over RDP, option 15 also fine
  • Install MeshCommander and see if the server can be seen.
    • yes, status "Not activated"
  • Check Internet Settings and what the network interface is saying.
    • all fine

 

I also tried to deploy the OS agent to a machine that was previously fully manually configured using MEBx + MeshCommander. Result was that this machine wanted me to unprovision the previously configured setup, which I did. Then I installed the agent again, the agent connected, ME status is already 20 minutes "Provisioning" and nothing else is happening. The OS agent level "Desktop" is only black screen and neither commandline, nor files, nor WMI work. The system is just useless in the current state...

 

I usually do not need to ask for help anywhere, as I work as a tech support, I can usually debug the stuff myself and solve it somehow, however, I am completely stuck in this case as the technology is too complex and unknown for me.

 

Thank You very much.

Marek

JoseH_Intel
Moderator

Hello msnapka,


Thank you for your detailed feedback. I understand your frustration. Intel EMA/AMT is not as user-friendly as we would like it to be.


About the Intel Management and Security Status, it can be downloaded from the Microsoft Store. Intel(R) Management and Security Status - Microsoft Store Applications


Just as a test, could you try to install EMA 1.6: https://downloadmirror.intel.com/646990/Ema_Install_Package_1.6.1.0.exe


Regards


Jose A.

Intel Customer Support Technician


msnapka
Beginner

Hello, Jose,

thanks for the tips. I managed to resolve the issue. The problem is that indeed the installer is not user friendly at all and the documentation is spread between 5 places.

 

In the Quick start guide I found the following:

 

"The operating system of the machine on which SQL Server is running must be a supported operating system version and needs to have English-US Windows display language, English-US system locale, and English-US format (match Windows display language)."

 

So I reinstalled the whole VM previously running the standard Czech installation (using which we run all other servers) using a US version of Win Server 2019 and in 3 hours I got everything running after spending 4 days on the issue.

 

My only question is WHY? Why should the settings used by an application be defined by an OS language and locale? I have never seen such app behaviour in my 10 years in IT despite seeing some really weird things. It's a fricking trap for admins since neither the installer, nor the app, nor the debugging utility say a word about the reason. The OS language should have absolutely no effect on the app behaviour. Please fix this asap or at least stop the installer before somebody starts looking for the reasons of problems that do not and can not make sense to the admin.

Also You could maybe consolidate the training and learning materials to one single place and start not by "how to install Intel EMA", but what the hell should be used for the AMT management (SCS? ACU? EMA? MeshCommander? MeshCentral?) and what are the options, since the best documents about the total basics are written by HP on some FTP and even those are incomplete.

 

Thank You for Your support anyway. I will probably have more questions or suggestions, but I will open those up in separate threads.

 

Have a good day,

Marek

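A pre-install check for the locale requirement quoted from the Quick start guide in the post above, as an added example that is not part of the original thread or Intel's tooling. The function name `Test-EmaLocalePrerequisite` is hypothetical, and the script assumes it is run on the machine hosting SQL Server, under the account that will perform the installation (display language and format are per-user settings).

```powershell
# Added example: checks the three settings the quoted requirement names
# (Windows display language, system locale, regional format) against en-US.
# Test-EmaLocalePrerequisite is a hypothetical helper name.
function Test-EmaLocalePrerequisite {
    [CmdletBinding()]
    param(
        # Value required by the quoted Quick start guide text.
        [string]$Expected = 'en-US'
    )

    # Map each requirement to the built-in cmdlet that reports it.
    $checks = [ordered]@{
        'Windows display language' = (Get-UICulture).Name        # UI language of the current user
        'System locale'            = (Get-WinSystemLocale).Name  # machine-wide, non-Unicode programs
        'Regional format'          = (Get-Culture).Name          # date/number format of the current user
    }

    foreach ($item in $checks.GetEnumerator()) {
        [pscustomobject]@{
            Setting  = $item.Key
            Expected = $Expected
            Actual   = $item.Value
            Pass     = ($item.Value -eq $Expected)
        }
    }
}

$results = Test-EmaLocalePrerequisite
$results | Format-Table -AutoSize

# Stop before running the installer if any of the three settings differs,
# for example cs-CZ on a standard Czech installation.
if ($results.Pass -contains $false) {
    Write-Error 'Locale prerequisite not met: set display language, system locale and format to en-US first.'
    exit 1
}
```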
JoseH_Intel
Moderator

Hello msnapka,


I am glad to hear you were able to get the EMA installation successful. Thank you for your feedback. It is pretty valuable and I will notify our senior team about it. We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and submit a new topic.


Regards


Jose A.

Intel Customer Support Technician

